Home page logo

basics logo Security Basics mailing list archives

Re: IIS 5 and client certificates
From: Frank Knobbe <fknobbe () knobbeits com>
Date: 05 Nov 2002 00:22:24 -0600

On Fri, 2002-11-01 at 16:29, Chris Eidem wrote:
What I've tested:

- Anyone with our cert can reach the site with certs ignored or
accepted, no surprise.

- Anyone with our cert can reach the site with client cert mapping not
enabled.  Slightly surprising, as I would think that it would default to
no one being allowed access.

- Anyone with our cert can reach the site with client cert mapping
enabled and no 1-to-1 rules.  Again surprising.

- I added a second cert, and mapped it to a user that was not allowed
access to the default.html page.  That user was not allowed access, but
all other cert holders were allowed access.

- I added a Many-to-1 rule denying access to anyone with the following
certificate criterium:

     Issuer CN matches '<root CA text here>'

With this enabled, and the local Root CA installed, it matches what I
thought that it would do with just the client cert installed.

Since all the major CAs have their certificates installed into Windows
2000, IIS recognizes them and I fear that anyone with a valid cert may
be able to access a site. [...]


have you tried *removing* all other root certs from the root CA store of
the web server, leaving only your own root CA cert in the certificate

From what I understand, any certificate signed by a trusted root CA (so
by default, Verisign etc) are accepted, and the CN name used as a
username for authentication (or via the mapping, remapped to a different
ID). It seems to me that if you trust only your certificate, you would
need to to reduce the trust in the root CA store to just your root cert.


Attachment: signature.asc
Description: This is a digitally signed message part

  By Date           By Thread  

Current thread:
  • Re: IIS 5 and client certificates Frank Knobbe (Nov 05)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]